How do I automate Kubernetes deployment YAML without relying on :latest?


How do I automate Kubernetes deployment YAML without relying on :latest?



I have a repository with a Kubernetes deployment YAML. Pipelines run on each commit that builds and pushes an image into our repository, versioned with the commit (eg. my_project:bm4a83). Then I'm updating the deployment image


my_project:bm4a83



kubectl set image deployment/my_deployment my_deployment=my_project:bm4a83.


kubectl set image deployment/my_deployment my_deployment=my_project:bm4a83



This works, but I also want to keep the rest of the deployment YAML specification in version control.



I thought I could just keep it in the same repository, but that means my changes that may only be infrastructure (eg, changing replicas) triggers new builds, without code changes.


replicas



What felt like it made the most sense was keeping the deployment YAML in a totally separate repository. I figured I can manage all the values from there, independently from actual code changes. The only problem with that is the image key would need to be kept up to date. The only way around that, is working with some floating :latest-type version, but I don't really think that's ideal.


image


:latest



What's a sensible workflow for managing this? Am I missing something entirely?




2 Answers
2



What's a sensible workflow for managing this? Am I missing something entirely?



Some of the answer depends on the kind of risk you're trying to drive down with any process you have in place. If it's "the cluster was wiped out by a hurricane and I need to recover my descriptors," then Heptio Ark is a good solution for that. If the risks are more "human-centric," then IMHO you will have to walk a very careful line between locking down all the things and crippling the very agile, empowering, tools that kubernetes provides to a team. A concrete example of that model running up against your model is: what happens when a developer edits a Deployment but does not (remember|know) to update the descriptor in the repo? So do you revoke the edit rights? Use some diff-esque logic to detect a changed in-cluster config?



To speak to something you said specifically: it is a highly suboptimal idea to commit a descriptor change just to resize a (Deployment|ReplicationController|StatefulSet). Separately, a well-built CI pipeline would also understand if no buildable artifact changed and bail out (either early, or not even triggering a build, if the CI tool is that smart).


(Deployment|ReplicationController|StatefulSet)



Finally, if you do want to carry on with the current situation, then the best practice I can think of is textual replacement right before applying a descriptor:


$ grep "image: " the-deployment.yml
image: example.com/something:#CI_PIPELINE_IID#
$ sed -i'' -e "s/#CI_PIPELINE_IID#/${CI_PIPELINE_IID}/" the-deployment.yml
$ kubectl apply -f the-deployment.yml



so that the copy in the repo remains textually pristine, and also isn't inadvertently actually applied since it won't actually result in a runnable Deployment.





I think I've settled on having the image updated how you suggested. I'm going to keep all the scaling configuration out of here, manage that in a separate repository. Our CI tool (using Bitbucket Pipelines at the moment) doesn't have any baked-in magic for handling unchanged artifacts. My pedantry over keeping everything in a repository is secondary to rolling out unnecessary deployments. Thanks!
– Richard Taylor
Jun 30 at 19:04



but I also want to keep the rest of the deployment YAML specification in version control.



Yes, you want to do that. Putting everything under version control is a good practice to achieve immutable infrastructure.



If you want the deployment to have a separate piece of metadata (for whatever auditing / change tracking reason), why can't you just leverage the Kubernetes metadata block?


metadata


metadata:
name: my_deployment
commit: bm4a83



Then you inject such information through Jinja, Ruby ERBs, Go Templates, etc.






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

Render GeoTiff to on browser with leaflet

Render GeoTiff to on browser with leaflet I have a big GeoTiff Image with following gdalinfo : Driver: GTiff/GeoTIFF Files: ImageNew.tif Size is 8501, 8544 Coordinate System is: PROJCS["WGS 84 / Pseudo-Mercator", GEOGCS["WGS 84", DATUM["WGS_1984", SPHEROID["WGS 84",6378137,298.257223563, AUTHORITY["EPSG","7030"]], AUTHORITY["EPSG","6326"]], PRIMEM["Greenwich",0, AUTHORITY["EPSG","8901"]], UNIT["degree",0.0174532925199433, AUTHORITY["EPSG","9122"]], AUTHORITY["EPSG","4326"]], PROJECTION["Mercator_1SP"], PARAMETER["central_meridian",0], PARAMETER["scale_factor",1], PARAMETER["false_easting",0], PARAMETER["false_northing",0], UNIT["metre",1, A
Read more

How to get chrome logged in user's email id through website

How to get chrome logged in user's email id through website I visited wishfin.com and one minute later I received their promotional email. I know this could be by chance but I am curious to know that if it is possible to get chrome logged in user's email id through website e.g. javascript ? Sorry, if this question is not relevant but I Googled it too, I have got no clue. javascript 1 Answer 1 Access to the chrome profile information is controlled through the chrome.identity API - specifically getProfileUserInfo. Docs It returns the email & a UUID for the signed in profile. However you must give the website permission for them to get this data, specifically the identity.email permission. Unless you gave them the permission, the website did not receive your email from google chrome. By clicking "Post Your Answer", you acknowledge that
Read more

using states in a react-navigation without redux

using states in a react-navigation without redux as written in the react-navigation page: Warning: in the next major version of React Navigation, to be released in Fall 2018, we will no longer provide any information about how to integrate with Redux and it may cease to work. In the next version of react-navigation it could be hard to use redux with react-navigation. My question is: what can I do to use states (and passing states between screens) in a react-navigation app without using redux? 2 Answers 2 For children of navigator react-navigation gives you an withNavigation HOC, so you can easily wrap the component inside it to access the navigation state and navigate. withNavigation Why you integrate react navigation with redux? For me, I want to be able to perform navigation actions from outside of my components(screens). Eg: Redux-saga. If we don't integrate, we can't navigate via red
Read more